feat: allow prometheus for only authorized users (#12121)

allow restrictions on who can access Prometheus endpoint, additionally add prometheus as part of diagnostics canned policy. Signed-off-by: Harshavardhana <harsha@minio.io>
2025-01-25 21:53:16 -05:00 · 2021-04-22 18:55:30 -07:00 · 2021-04-22 18:55:30 -07:00 · d0d67f9de0
commit d0d67f9de0
parent 4438124948
3 changed files with 19 additions and 2 deletions
--- a/cmd/metrics.go
+++ b/cmd/metrics.go
@ -23,6 +23,7 @@ import (
 	"time"

 	"github.com/minio/minio/cmd/logger"
+	iampolicy "github.com/minio/minio/pkg/iam/policy"
 	"github.com/minio/minio/pkg/madmin"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@ -751,11 +752,22 @@ func metricsHandler() http.Handler {
 // AuthMiddleware checks if the bearer token is valid and authorized.
 func AuthMiddleware(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		claims, _, authErr := webRequestAuthenticate(r)
+		claims, owner, authErr := webRequestAuthenticate(r)
 		if authErr != nil || !claims.VerifyIssuer("prometheus", true) {
 			w.WriteHeader(http.StatusForbidden)
 			return
 		}
+		// For authenticated users apply IAM policy.
+		if !globalIAMSys.IsAllowed(iampolicy.Args{
+			AccountName:     claims.AccessKey,
+			Action:          iampolicy.PrometheusAdminAction,
+			ConditionValues: getConditionValues(r, "", claims.AccessKey, claims.Map()),
+			IsOwner:         owner,
+			Claims:          claims.Map(),
+		}) {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
 		h.ServeHTTP(w, r)
 	})
 }
--- a/pkg/iam/policy/admin-action.go
+++ b/pkg/iam/policy/admin-action.go
@ -31,6 +31,8 @@ const (

 	// StorageInfoAdminAction - allow listing server info
 	StorageInfoAdminAction = "admin:StorageInfo"
+	// PrometheusAdminAction - prometheus info action
+	PrometheusAdminAction = "admin:Prometheus"
 	// DataUsageInfoAdminAction - allow listing data usage info
 	DataUsageInfoAdminAction = "admin:DataUsageInfo"
 	// ForceUnlockAdminAction - allow force unlocking locks
@ -141,6 +143,7 @@ var supportedAdminActions = map[AdminAction]struct{}{
 	DataUsageInfoAdminAction:        {},
 	TopLocksAdminAction:             {},
 	ProfilingAdminAction:            {},
+	PrometheusAdminAction:           {},
 	TraceAdminAction:                {},
 	ConsoleLogAdminAction:           {},
 	KMSKeyStatusAdminAction:         {},
--- a/pkg/iam/policy/constants.go
+++ b/pkg/iam/policy/constants.go
@ -76,7 +76,9 @@ var AdminDiagnostics = Policy{
 			Actions: NewActionSet(ProfilingAdminAction,
 				TraceAdminAction, ConsoleLogAdminAction,
 				ServerInfoAdminAction, TopLocksAdminAction,
-				HealthInfoAdminAction, BandwidthMonitorAction),
+				HealthInfoAdminAction, BandwidthMonitorAction,
+				PrometheusAdminAction,
+			),
 			Resources: NewResourceSet(NewResource("*", "")),
 		},
 	},